---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: capz-controller-manager
  namespace: d8-cloud-provider-zvirt
  {{- include "helm_lib_module_labels" (list . (dict "app" "capz-controller-manager")) | nindent 2 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: d8:cloud-provider-zvirt:capz-controller-manager
  {{- include "helm_lib_module_labels" (list . (dict "app" "capz-controller-manager")) | nindent 2 }}
rules:
- apiGroups:
    - cluster.x-k8s.io
  resources:
    - clusters
  verbs:
    - get
    - list
    - watch
- apiGroups:
    - cluster.x-k8s.io
  resources:
    - clusters/status
  verbs:
    - get
- apiGroups:
    - cluster.x-k8s.io
  resources:
    - machines
  verbs:
    - delete
    - get
    - list
    - patch
    - update
    - watch
- apiGroups:
    - cluster.x-k8s.io
  resources:
    - machines/status
  verbs:
    - get
    - patch
    - update
- apiGroups:
    - ""
  resources:
    - nodes
  verbs:
    - get
    - list
    - watch
- apiGroups:
    - ""
  resources:
    - secrets
  verbs:
    - get
    - list
    - watch
- apiGroups:
    - deckhouse.io
  resources:
    - zvirtinstances
  verbs:
    - get
    - list
    - patch
    - update
    - watch
- apiGroups:
    - deckhouse.io
  resources:
    - zvirtinstances/status
  verbs:
    - get
    - patch
    - update
- apiGroups:
    - events.k8s.io
  resources:
    - events
  verbs:
    - create
- apiGroups:
    - infrastructure.cluster.x-k8s.io
  resources:
    - zvirtclusters
  verbs:
    - get
    - list
    - patch
    - update
    - watch
- apiGroups:
    - infrastructure.cluster.x-k8s.io
  resources:
    - zvirtclusters/status
  verbs:
    - get
    - patch
    - update
- apiGroups:
    - infrastructure.cluster.x-k8s.io
  resources:
    - zvirtmachines
  verbs:
    - get
    - list
    - patch
    - update
    - watch
- apiGroups:
    - infrastructure.cluster.x-k8s.io
  resources:
    - zvirtmachines/finalizers
  verbs:
    - update
- apiGroups:
    - infrastructure.cluster.x-k8s.io
  resources:
    - zvirtmachines/status
  verbs:
    - get
    - patch
    - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: d8:cloud-provider-zvirt:capz-controller-manager
  {{- include "helm_lib_module_labels" (list . (dict "app" "capz-controller-manager")) | nindent 2 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: d8:cloud-provider-zvirt:capz-controller-manager
subjects:
- kind: ServiceAccount
  name: capz-controller-manager
  namespace: d8-cloud-provider-zvirt

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: capz-controller-manager-leader-election-role
  namespace: d8-cloud-provider-zvirt
  {{- include "helm_lib_module_labels" (list . (dict "app" "capz-controller-manager")) | nindent 2 }}
rules:
- apiGroups:
    - ""
  resources:
    - configmaps
  verbs:
    - get
    - list
    - watch
    - create
    - update
    - patch
    - delete
- apiGroups:
    - coordination.k8s.io
  resources:
    - leases
  verbs:
    - get
    - list
    - watch
    - create
    - update
    - patch
    - delete
- apiGroups:
    - ""
  resources:
    - events
  verbs:
    - create
    - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: capz-controller-manager-leader-election-role
  namespace: d8-cloud-provider-zvirt
  {{- include "helm_lib_module_labels" (list . (dict "app" "capz-controller-manager")) | nindent 2 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: capz-controller-manager-leader-election-role
subjects:
- kind: ServiceAccount
  name: capz-controller-manager
  namespace: d8-cloud-provider-zvirt
